Tuesday, January 10, 2012

This message will self-destruct in five seconds.

(Warning: Spoiler Alert ahead... or maybe not. I mean, it's not like there's some big Shyamalanesque plot-twist at the end of these things...)

The other day a friend said, "You have to go see Mission: Impossible - Ghost Protocol! You will love it, ya know, because you're in security." I'm not really the type that goes and sees every action movie, but I was sufficiently intrigued by the promise that the fourth installment of the series might be a hacker flick. Those are always good for a sobering insight into what Hollywood thinks of our industry or for a laugh. So I went... and I loved it! It was the gadget-filled, awesomely insane tapestry of extreme action and suspense that we all have come to love and expect from Tom Cruise.

But it didn't seem to me to be a hacker flick. So I messaged my friend and I said, "The gadgets were by far the best in this movie. The story was the most appealing. The actors all had great chemistry. But that isn't why you said I would like it, so please explain, why did you call that a movie about infosec?" He then began recounting all of the scenes where Old Man Cruise has to rappel from something or dive off something and get something out of some ridiculously locked room. But what he of course noticed, and I had been too dazzled to see, was that the real heavy lifting in those scenes was done by the team's standard-issue hacker character (Simon Pegg). Tom has to go into the vault to get the microfiche (really, still??) but Simon is the one that gets that door open.

The most interesting part though is how the hacking is done. In a cruel twist of fate and conspiracy from the highest levels, the president initiates "Ghost Protocol" and the team becomes exiled with no access to the Carnivore-like CIA network that usually makes things like breaking the encryptions Hollywood-quick. So they're forced to kick it old-school and do a pretty nice variety of physical penetration hacks.

MI:4 has reminded me how effective the physical security attack really is. While today's military-grade firewall may be Fort Knox at keeping people out of the tubes, there's really nothing that's going to stop a hacker if they're sitting right in front of the machine. Or if their increasingly disgruntled team leader is sitting in front of the machine with a pocket router after having scaled the sheer side of the tallest building in Dubai using only a suction cup and a fire hose. Or if the guy on the team who was never part of the plan, and who has to slide down an HVAC shaft into a subterranean server room that without the cooling system has become "an oven", and by the way the walkie-talkies aren't working and the bad guys just cut the satellite feed, is sitting right in front of the machine. Or if the plucky new female agent with a grudge and something to prove floats a balloon holding a wireless connection device over a wall to get into the signal area... Well, I guess they can't all be extreme, but it makes the excellent point that if your physical security strategy doesn't cover the 50 feet underground and the 15,000 feet of air space above it, you're doomed. (Don't worry, the plucky female agent gets extreme redemption when she completes one of our other favorite old-school physical hacks, the 'beating someone with a $5 hammer [xkcd] until they tell you the password' technique.)

Oh, and also everyone on the property should probably be assigned a dog because people are incredibly dumb.